BBVA Mexico: How to Protect Corporate Clients Against Social Engineering and Other Attacks
We recently joined BBVA Mexico to discuss the security technology they are using to protect their corporate banking clients from phishing scams and other types of fraud attacks.
BBVA is one of the largest financial institutions in the world with operations across the globe, including Latin America. In 2020, BBVA was selected as the best bank in Latin America by Euromoney magazine. BBVA is also the largest bank in Mexico, where our guest speaker, Omar Bolaños, is based. Mr. Bolaños is the Vice President of Cash Management at Corporate & Investment Banking (CIB) for BBVA México.
During the discussion, Mr. Bolaños explained how BBVA is focused on making digital banking secure and convenient for their commercial clients, particularly against social engineering and person-in-the-middle attacks (also referred to as man-in-the-middle attacks). If you missed this popular presentation, below is a 5-minute summary. You can also access the full presentation on-demand. (in Spanish only)
What is Social Engineering?
When cybercriminals manipulate people in order to steal valuable and sensitive information, it’s referred to as a social engineering attack. Almost every type of cybersecurity attack contains some kind of social engineering tactic.
Here are some of the most common types of social engineering attacks:
One of the most common social engineering attacks is phishing. This is when social engineering is used to defraud an online account holder of their financial information or login credentials by posing as a trusted identity such as a bank.
Phishing is a form of social engineering that takes advantage of the natural human tendency to trust. Phishing scams often impersonate well-known brands and trusted individuals, appearing deceptively legitimate when executed carefully. Phishing is performed in multiple ways, including through SMS text messages (smishing), verbal scams (vishing, i.e. through phone calls), messaging services such as Skype, and social media messages.
The most common form of phishing attack is email. A phishing email aims to create a sense of urgency, often by alerting the user that their account is at risk. Recipients are then persuaded to click links that:
- Redirect them to a fake banking website designed to capture their login credentials, or
- Tell the recipient to open an attachment that, in reality, will install a piece of credential-harvesting malware. (In the case of mobile users, they don’t even have to download an attachment. Instead, a malicious link within a text message can direct a user to a web page that automatically downloads malware to their device.)
Malware can also eavesdrop on communications between the client and the bank, and send that back to the attacker in order to stage a cyber attack.
Another example of social engineering is baiting. As its name implies, baiting attacks use a false promise to lure a victim’s curiosity. Online forms of baiting consist of alluring ads that lead to malicious websites or that encourage users to download a malicious software or application.
Pretexting uses a deceptive identity for establishing trust with their victim by impersonating co-workers, police, government officials, or other persons who have a right-to-know authority. Personal data & confidential information (i.e. social security numbers, personal addresses, credit card or bank account information etc.) is then gathered to misuse.
Tailgating attack is a social engineering technique used by cyber criminals to help gain unauthorized access to a restricted or password-protected area by piggybacking or trailing someone with authorized access.
Ways to Help Prevent Social Engineering
Transactions made by corporate banking clients are typically much larger and more frequent than personal banking clients. This has led to an increase in spear phishing, which is a more focused form of phishing that takes aim at specific high-value targets, rather than at random individuals.
Most banks rely on two-factor authentication (2FA) apps and devices for user authentication at login as well as for authorizing transactions like payments and money transfers. The one-time passcodes issued by an authenticator app or hardware authenticator device like Digipass are also used to fend off social engineering attacks. Also, spam filters, firewalls or antivirus software are used to protect against cyber attacks.
OneSpan’s Cronto technology goes a step further, without compromising convenience. Cronto codes are similar to QR codes, containing encrypted data specific to each transaction. When Cronto codes are displayed on a bank’s online portal, the client scans it with their OneSpan Digipass device or with a verified trusted smartphone, unlocking a one-time passcode that can only be read by that specific customer on their specific phone. The code then authorizes the payment, money transfer, or other financial transaction.
Cronto technology also provides an additional layer of security against person-in-the-middle attacks. In these attacks, cybercriminals intercept digital transactions through malware or by setting up malicious Wi-Fi hotspots. Either way, any data they transfer may be compromised and even maliciously altered.
How does Cronto help defend against this scenario? If the transaction data has been altered by an attacker (referred to as the person in the middle because the attacker has injected themselves into the communication between the client and the bank without them knowing), it will not match the Cronto code and it won't be possible to authorize that transaction.
Cronto solutions do this by creating a unique digital banking signature for each transaction, using details such as account number, transaction amount or any other text or messaging the bank wants to send. It preserves data integrity and ensures authenticity. This means that if a malicious actor intercepts a financial transaction as it travels from the client’s computer to the bank’s server – and alters the transaction details to increase the amount and reroute the funds to a different account – it will not be possible to authorize the transaction and thus the bank will cancel it.
By deploying OneSpan’s Cronto solutions, the bank is in charge of the transaction authorization process. Only the bank can initiate the creation of a Cronto code, and only the intended recipient’s device can scan the code. All data is encrypted and the communication between the customer and the bank is secure.
What BBVA’s Corporate Clients Think About Cronto Technology
BBVA upgraded to Digipass 760 and 785 authenticators with Cronto technology for two reasons.
“First, it’s very important for us to use the latest technology. At BBVA, we continuously invest in security and innovation. Second, because Cronto is very visual. What you see is what you sign. Our clients can see their transaction on-screen and confirm that it matches what is on their authenticator device,” says Mr. Bolaños.
The QR-like code can even transmit additional messages to the customer. For example, say an organization’s treasurer was transferring money to a supplier’s account. If the bank has already identified this account as a mule account, the bank can use Cronto technology to warn the client in a message to ask them to be careful because the account they want to transfer money to has been identified as an account associated with past frauds.
Corporate finance professionals who are clients of BBVA talked about how the simplicity and security offered by OneSpan’s technology has helped strengthen loyalty towards BBVA. One treasurer from Mexico mentioned how much faster it is to use a Digipass authenticator to authorize a transaction – explaining that it is faster than processes used by other banks.
Additionally, they found there is a high level of ease of use with OneSpan’s Cronto technology. Cronto's visual approach to transaction authorization simplifies the experience because it reduces the user interaction required to verify the transaction details. Clients simply point their Digipass authenticator device (or their verified trusted smartphone) at the screen and enter a response code into the browser. This allows all of the encrypted transaction details to be communicated between the bank and customer without the risk of interception or tampering by hackers.
The Bottom Line
This presentation highlighted how OneSpan’s Digipass devices, paired with OneSpan’s patented Cronto technology, help banks – and their clients – stay ahead of cybercriminals who use social engineering techniques to compromise individuals and organizations. BBVA’s clients expressed confidence and satisfaction with the robust security technologies and policies that BBVA has put in place, and indicated that they intend to use BBVA more often in the future.
You can learn more about OneSpan’s partnership with BBVA and how technology is used to protect people against fraudulent attacks and data breaches by watching the on-demand webinar. (in Spanish only)